FTC: Bad Cybersecurity Is an Unfair Trade Practice

9/12/16

By David Greber, Offit Kurman, Attorney At Law

Companies that accept consumers’ personal data without reasonable and appropriate data security procedures to protect the data are considered by the Federal Trade Commission (the “FTC”) to be engaging in unfair, and potentially deceptive, trade practices, in violation of 15 U.S.C. §§ 45(a) and (n) (“Section 45”). Since 2002, the FTC has brought nearly 60 data security cases. Recent, highly-publicized cyber thefts of consumer data suggest the FTC’s enforcement activity will increase in years to come.

What the FTC Currently Expects Under Section 45

What does the FTC expect a company to do to comply with Section 45, you may ask?

  1. A Tailored Plan (Not a Generic Checklist) Leading to Reasonable Protections

Unfortunately, the FTC has not provided a safe harbor checklist of its requirements under Section 45, nor has it issued regulations that give guidance concerning its interpretation of the extraordinarily broad language of this 100-year-old law. In the context of an enforcement action, Wyndham Worldwide Corporation argued—unsuccessfully—that the FTC had not given fair notice of what constitutes unfair practices of cybersecurity under Section 45(a). The Third Circuit rejected this argument, saying that the FTC’s previous enforcement actions and its guidebook entitled, “Protecting Personal Information: A Guide for Business,” gave Wyndham adequate notice that Wyndham might be found to violate Section 45. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 256 (3d Cir. 2015).

Guidance from the FTC’s Enforcement Actions

Although the FTC emphasizes that a systematic analysis of a company’s facts and circumstances is required to determine what cybersecurity measures are necessary, some commentators have noted that the FTC’s enforcement actions suggest that the following data security practices are unfair no matter what:

  • Lack of encryption
  • Failing to check the security of a process
  • Failing to remedy known security vulnerabilities
  • Failing to implement common industry security practices
  • Poor user name and password protocols

Examples of common industry security practices would likely include use of virus protection software, firewalls, security patches, data backups, and employee education on cybersecurity.

Guidance from Government Publications

Federal law does not provide a list of specific cybersecurity protections that each company must implement. But the federal government has, through the National Institute of Standards and Technology (“NIST”), adopted a set of generally-applicable industry standards and best practices for cybersecurity. If these standards and practices are not followed, the FTC would likely find a company to have committed an unfair trade practice.

The most recent NIST cybersecurity standards and practices are the result of an initiative that began on February 12, 2013, with President Obama’s issuance of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which established that, “It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this federal public policy, Executive Order 13636 called for the development of a voluntary risk-based cybersecurity framework—a set of industry standards and best practices to help organizations manage cybersecurity risks.

In response, NIST created a collaboration between the federal government and the private sector to establish federal cybersecurity standards and best practices. On February 12, 2014, NIST released “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.0) (the “Framework”). Although the Framework is expressly voluntary, the FTC has used NIST standards for cybersecurity to assess whether companies have committed unfair trade practices. So it makes sense for companies to begin their cybersecurity self-evaluation by conducting the analysis set out in the Framework.

Several FTC resources are also available to companies to help them comply with Section 45, including these:

  2. Accurate Data Security Statements to Consumers

Companies often describe their data collection, retention, and security procedures to their customers, either because they have to under applicable law or because they choose to. The descriptions may be found in a privacy policy made available online, or in customer literature. Although it may be true that few customers actually read what companies have to say about their cybersecurity, the FTC treats inaccurate statements concerning cybersecurity as deceptive trade practices under Section 45. Therefore, companies should verify that what they tell their customers about their cybersecurity practices is actually true.

Conclusion

No company that accepts sensitive information from its customers can afford not to engage in a serious evaluation of its data collection and data security practices, as well as the representations it makes to customers about these subjects. Implementation of a cybersecurity program tailored to the company’s facts and circumstances not only reduces the probability of data breaches, but also reduces a host of criminal and civil litigation risks. Offit Kurman would be glad to assist in this process.

ABOUT DAVID GREBER

Mr. Greber is a Principal in Offit Kurman’s Business Law and Transactions Practice Group. His extensive business law experience includes representation of companies and corporations in all stages of their business life-cycle, from initial founding, through growth and expansion, to sale. His intellectual property law practice includes the protection of copyrights, trademarks, and trade secrets. He has also represented clients in state and federal court in a variety of civil litigation matters, including disputes among business owners and cases involving infringement of intellectual property rights.

ABOUT OFFIT KURMAN

Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 120 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eight offices serve individual and corporate clients in the Maryland, Delaware, New Jersey, and Northern Virginia markets, as well as the Washington DC, Baltimore, Philadelphia, and New York City metropolitan areas. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.
